Skip to content

Add Vercel AI SDK lockfile example and verified case study #478

Open
Open
Add Vercel AI SDK lockfile example and verified case study#478
Assignees
Ayush7614
Labels
documentationImprovements or additions to documentationgood first issueGood for newcomers
@Ayush7614

Description

@Ayush7614
Ayush7614
opened on May 27, 2026

Summary

Add a real-world Vercel AI SDK monorepo lockfile snapshot and a verified baseline scan case study to CVE Lite CLI.

Motivation

The Vercel AI SDK is one of the most widely adopted TypeScript libraries for building AI-powered applications and agents. Its pnpm monorepo spans provider integrations, examples, and tooling with a large dependency graph. A committed lockfile snapshot and documented case study would:

  • Add AI/LLM framework coverage to the case study portfolio (complementing CMS and meta-framework examples)
  • Show how CVE Lite CLI handles a high-visibility pnpm monorepo with mixed direct and transitive AI-toolchain risk
  • Document verified baseline findings, fix command groups, and remaining risk without applying remediation
  • Provide a side-by-side comparison with pnpm audit on the same lockfile

Preliminary scan (CVE Lite CLI v1.18.0, lockfile-only, 2026-05-27)

Metric Value
Upstream revision (candidate) 056599241eb0b67dd57e41301caa054013c974d2
Lockfile pnpm-lock.yaml
Resolved packages 3,570
Vulnerable packages 55 (131 OSV advisory matches)
Severity 2 critical · 22 high · 27 medium · 4 low

Numbers are from a lockfile-only baseline scan and must be re-verified locally before publishing the case study.

Proposed changes

  • Add examples/ai/ (or examples/vercel-ai/) with package.json and pnpm-lock.yaml pinned to a specific upstream commit
  • Add website/docs/case-studies/vercel-ai.md with verified scan results (CVE Lite CLI version, pnpm audit comparison, reproducible commands)
  • Wire the case study into docs sidebar, README, examples/readme.md, and CHANGELOG

Scope

  • Documentation and example fixture only
  • No changes to scanner source code or existing examples
  • All scan metrics must be reproduced locally before publishing (baseline only — no fake “after” remediation results)

Acceptance criteria

  • Lockfile snapshot is pinned to a documented upstream revision
  • Case study includes scan verification section with reproduce commands
  • Comparison note explains CVE Lite vs native audit count differences (if totals differ)
  • Baseline findings table matches live scan JSON output

Metadata

Metadata

Assignees

Labels

documentationImprovements or additions to documentationgood first issueGood for newcomers

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions